Name:Unusually Long Content-Type Length id:57a0a2bf-353f-40c1-84dc-29293f3c35b7 version:3 date:2024-10-17 author:Bhavin Patel, Splunk status:experimental type:Anomaly Description:The following analytic identifies unusually long strings in the Content-Type HTTP header sent by the client to the server. It uses data from the Stream:HTTP source, specifically evaluating the length of the `cs_content_type` field. This activity is significant because excessively long Content-Type headers can indicate attempts to exploit vulnerabilities or evade detection mechanisms. If confirmed malicious, this behavior could allow attackers to execute code, manipulate data, or bypass security controls, potentially leading to unauthorized access or data breaches. Data_source:
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web by Web.src Web.dest Web.url Web.http_user_agent Web.http_content_type | `drop_dm_object_name("Web")` | eval http_content_type_length = len(http_content_type) | where http_content_type_length > 100 | table firstTime lastTime src dest http_content_type_length http_content_type url http_user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unusually_long_content_type_length_filter`
how_to_implement:This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field. known_false_positives:Very few legitimate Content-Type fields will have a length greater than 100 characters. References: drilldown_searches:
: tags: analytic_story: - 'Apache Struts Vulnerability' asset_type:Web Server confidence:50 impact:50 message:Unusually Long Content-Type Length ($http_content_type_length$ characters) In Web Request from $src$ observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'src' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'cs_content_type' - 'endtime' - 'src_ip' - 'dest_ip' - 'url' risk_score:25 security_domain:network
